A reasonable response to Java security problems (Updated)

TJ Luoma, @tjluoma
01.11.13

Update: According to The Mac Observer, Apple has acted proactively to block the Java browser plug-in on Mac machines with OS X 10.6 Snow Leopard or higher. If you are running an earlier version of OS X, then you should disable Java as noted below.

Update 2: In a remarkably speedy turnaround, Oracle has released a patched Java VM (release 11, listed as b21 internally) that closes this particular hole. Users who need Java installed are urged to update ASAP. You may have to update manually; Mike Rose reports that the auto-update feature on his machine ended up crashing the Java control panel.

A Java security flaw has been reported by CERT (the Computer Emergency Readiness Team). TheNextWeb has a good write-up of the background of the exploit's discovery.

Here's the bad news: there is no "fix" for the bug yet. Here's the worse news: it is believed that malicious sites on the web are already aware of this security hole, and are trying to exploit it.

Is your Mac at risk? Maybe. It is possible that your Mac does not even have Java installed. Apple stopped including Java by default with Lion. However, if you have run into any websites or software that needs Java, it may have prompted you to install it.

So what should you do? Well, here are some options:

  1. Stop using the Internet and go live in a yurt.
  2. Disable Java.
  3. Uninstall Java.
  4. Ignore it and hope that everything will be OK.

Hopefully you guessed that options 1 & 4 are the "Not Good" options, so that leaves us with two choices: Disable or Uninstall?

Here's my suggestion: if you are on Mac OS X 10.7 or 10.8 (Lion or Mountain Lion), have Java installed, and you're not just one of those people who goes around installing things willy-nilly, my guess is that you have (or had) some software program that relies on Java. If you uninstall it, something might break and you might not be able to figure out why.

However, if you disable Java in whichever browser(s) you use regularly, you can continue to use your web browser without worrying about this exploit. If you find a website that uses Java, you can turn it on, do what you need to do, and then turn it off again.

Safari users: you can easily disable Java by going to Safari's Preferences, choosing the Security tab, and unchecking the appropriate box.

Google Chrome users need to go to chrome://plugins and disable the Java plug-in there.

Firefox users: go to the "Tools" menu, then "Add-ons" (or ⌘ + Shift + A) and choose the "Plugins" tab. Then click the "Disable" button next to Java Applet Plug-in.

"But I need Java for these sites I use every day!"

OK, so that's the reasonable response that I think will work for most people, but if you happen to be one of the people who needs to use Java every day for a specific set of websites all is not lost.

In fact, there's a very easy solution called Fluid.app. This one might seem a little nerdy, but once you set it up, it's quite easy.

We've mentioned Fluid.app on TUAW in the past and it's one of my favorite tools. With Fluid.app you can make a "standalone" web browser with its own set of preferences, including Java. You can find these settings in your Fluid.app browser under 'Settings':

But wait! (he said in his best made-for-TV voice) There's more!

Fluid.app will also let you say exactly which websites (domains, URLs, etc.) you want to use with that browser. Go to the "Whitelist" preferences and enter the domains, like this:

Now the rule I have will allow me to visit any URL that includes www.google.com. You can add more sites using the + at the bottom of the window.

Add all of your known and trusted sites that use Java. If you come across a link to a different site, it will automatically send you over to your regular browser (where you have disabled Java). Using this system you can have the security of having Java disabled, but still have the convenience of being able to use it on sites that you trust.
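As an added illustration of the hand-off described above (my own example, not Fluid.app's code; the allowlist hostnames are made up), here is that routing decision in Python. A link is opened in the Java-enabled browser only when its hostname is on the list, so a trusted name that merely appears somewhere in the URL's path or query does not qualify.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hostnames of the sites the user trusts to run Java.
# A leading "*." entry also admits subdomains of that domain.
TRUSTED_JAVA_SITES = ("www.google.com", "*.intranet.example")


def host_matches(host, pattern):
    """Exact hostname match, or subdomain match for '*.' patterns."""
    host = host.lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_trusted(url, trusted=TRUSTED_JAVA_SITES):
    """Decide on the parsed hostname alone, never on the raw URL string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, p) for p in trusted)


def route(url, trusted=TRUSTED_JAVA_SITES):
    """Return which browser should open the link."""
    return "java-enabled" if is_trusted(url, trusted) else "regular"


if __name__ == "__main__":
    for link in ("https://www.google.com/search?q=java",
                 "https://other.example/?next=www.google.com"):
        print(link, "->", route(link))
```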
